Tuesday, 24 April 2012

[EN] Concrete5 5.2.1 CMS exploits

Yesterday I found a few vulnerabilities in the latest version of Concrete5 CMS.
I will publish more information here soon.

Vulnerabilities are:
- SQL injection;
- cross-site scripting;
- information disclosure;

The last two of them can be exploited by a registered user.
For the SQL injection (for now ;) ) only an admin can trigger the issue (although it could be reachable via XSS).

If you need more information before I publish it, let me know.

